India probes latest alleged Co-WIN vax data breach
The Ministry of Health and Family Welfare of India is now looking into reports of an alleged data leak from the COVID-19 vaccination platform Covid Vaccine Intelligent Network or Co-WIN.
WHAT IT'S ABOUT
Several media reports have shared posts from Twitter that the personal data of vaccinated individuals were found accessible using a Telegram bot. The bot is supposedly able to pull those data using the mobile number or the Aadhaar number (unique 12-digit number) of a person.
In a statement, the MOHFW denied the reports as "without any basis and mischievous in nature."
"Co-WIN portal of [the] Health Ministry is completely safe with adequate safeguards for data privacy," it said.
The ministry has already tapped the Indian Computer Emergency Response Team to investigate those reports while an internal exercise is now being conducted to review the existing security measures of the vaccination portal. In its initial report, CERT-In pointed out that the back-end database for the Telegram bot was not directly accessing the APIs of the Co-WIN database.
WHY IT MATTERS
Per the ministry, access to Co-WIN data is only possible via OTP authentication and at three levels:
- Beneficiary dashboard: vaccinated individuals can access their own Co-WIN data using their registered mobile number with OTP authentication.
- Co-WIN authorised users: vaccinators with an authentic log-in credential. Their log-ins are being tracked and recorded by the system.
- API-based access: third-party apps providing authorised access to Co-WIN APIs can also access an individual's vaccination data only by using the vaccination beneficiary's OTP.
The MOHFW clarified that a Telegram bot cannot share any Co-WIN data without the individual's OTP and that it cannot capture their address.
The development team behind Co-WIN assures that there are no public APIs that can pull data from the vaccination platform without an OTP, although some APIs have been shared with third parties, such as the Indian Council of Medical Research, for data-sharing purposes.
Meanwhile, the API as described in the reports is "very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application," the ministry noted.
Additionally, the MOHFW said that security measures, including a web application firewall, anti-DDoS protection, SSL/TLS, regular vulnerability assessment, and identity and access management, among others, have been in place on the vaccination platform.
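The access model the ministry describes, OTP on every channel plus an allowlist for third-party API callers, can be sketched as a small service. The following is an added illustration, not Co-WIN's code or its API; the beneficiary records, the client id `client-icmr-demo` and the function names are constructed for the demo. It shows the three checks a lookup must pass (allowlisted caller, valid single-use OTP, known beneficiary), that a replayed or expired OTP is refused, and that the address field is never part of the response.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300

# Constructed sample records for the demo; these are not real beneficiaries.
BENEFICIARIES: Dict[str, Dict[str, object]] = {
    "9000000001": {"name": "Sample Beneficiary A", "doses": 2, "address": "never-returned"},
    "9000000002": {"name": "Sample Beneficiary B", "doses": 1, "address": "never-returned"},
}

# Hypothetical allowlist of trusted third-party API clients (placeholder id, not Co-WIN's).
TRUSTED_API_CLIENTS = {"client-icmr-demo"}


class AccessDenied(Exception):
    """Raised whenever a lookup fails one of the gates."""


class OTPService:
    """Issues short-lived, single-use OTPs keyed by mobile number.

    Only a hash of the OTP is stored; the clock is injectable so that
    expiry can be exercised deterministically.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._store: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(otp: str) -> str:
        return hashlib.sha256(otp.encode()).hexdigest()

    def issue(self, mobile: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._store[mobile] = (self._digest(otp), self._now() + OTP_TTL_SECONDS)
        return otp  # In a real deployment this is delivered by SMS, never to the API caller.

    def verify(self, mobile: str, otp: str) -> bool:
        entry = self._store.pop(mobile, None)  # pop: an OTP is consumed on first use
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            return False
        return hmac.compare_digest(digest, self._digest(otp))


def lookup_vaccination_record(
    mobile: str,
    otp: str,
    otp_service: OTPService,
    api_client_id: Optional[str] = None,
    audit_log: Optional[List[str]] = None,
) -> Dict[str, object]:
    """Return a beneficiary's vaccination record only if every gate passes."""
    log = audit_log if audit_log is not None else []
    channel = api_client_id or "dashboard"

    # Gate 1: a third-party caller must be on the allowlist.
    if api_client_id is not None and api_client_id not in TRUSTED_API_CLIENTS:
        log.append(f"DENY channel={channel} mobile={mobile} reason=not-allowlisted")
        raise AccessDenied("API client not allowlisted")

    # Gate 2: the beneficiary's OTP is required on every channel, trusted clients included.
    if not otp_service.verify(mobile, otp):
        log.append(f"DENY channel={channel} mobile={mobile} reason=bad-otp")
        raise AccessDenied("OTP missing, invalid, expired or already used")

    # Gate 3: the mobile number must belong to a known beneficiary.
    record = BENEFICIARIES.get(mobile)
    if record is None:
        log.append(f"DENY channel={channel} mobile={mobile} reason=unknown-beneficiary")
        raise AccessDenied("no record for this mobile number")

    log.append(f"ALLOW channel={channel} mobile={mobile}")
    # Only vaccination fields are returned; the address is never exposed.
    return {"name": record["name"], "doses": record["doses"]}


def try_lookup(mobile: str, otp: str, otp_service: OTPService,
               api_client_id: Optional[str] = None) -> Tuple[str, object]:
    """Convenience wrapper returning ('allowed', record) or ('denied', reason)."""
    try:
        return "allowed", lookup_vaccination_record(mobile, otp, otp_service, api_client_id)
    except AccessDenied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    svc = OTPService()
    code = svc.issue("9000000001")
    print(try_lookup("9000000001", code, svc, api_client_id="unknown-bot"))   # denied
    print(try_lookup("9000000001", code, svc, api_client_id="client-icmr-demo"))  # allowed
    print(try_lookup("9000000001", code, svc))  # denied: OTP already consumed
```

The ordering of the gates matters: an unlisted caller is refused before the OTP is touched, so a rejected request cannot burn the beneficiary's code, while a listed caller still cannot read anything without it.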
THE LARGER TREND
This is the third time that allegations of a Co-WIN data leak have been reported. Last year in January, it was alleged that vaccination data, including the personal information of about 20,000 people, were being sold in an underground database marketplace. Such reports were later brushed off by the ministry, which assured that the portal keeps people's data "safe and secure." Before this, it was also reported that the COVID-19 vaccination database from India was being sold on Data Leak Market, which the government also denied.
Co-WIN went live in January 2021 to serve as a platform where citizens can book vaccination slots and download their vaccination certificates digitally. Regarded as a force of public good, Co-WIN's API was made open-source by the government six months later.
Meanwhile, the Indian government has upgraded the Co-WIN platform to track all vaccinations against common preventable diseases, including measles and rubella.